Exploit detection of malware and malware families

US 9,773,112 B1
Filed: 09/29/2014
Issued: 09/26/2017
Est. Priority Date: 09/29/2014
Status: Active Grant

First Claim

Patent Images

1. A computerized method for detecting malware comprising:

accessing information associated with one or more observed events, wherein the one or more observed events are associated via one or more observed relationships;

accessing a reference model of a plurality of reference models, the reference model is based on a first plurality of events and comprises a first event, a second event and a first relationship that identifies that the second event is based on the first event, wherein a combination of at least the first plurality of events and the first relationship indicates a known cyber-attack;

based on a correlation between the reference model and the accessed information, inferring that at least a third event of the first plurality of events has occurred or a second relationship between two events of the one or more observed events existed, wherein neither the third event nor the second relationship is indicated by the accessed information;

analyzing (i) the information associated with the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (ii) the reference model to determine whether a level of correlation between (a) the one or more observed events, and including at least one of the third event or the second relationship that were inferred, and (b) the reference model is at least a first threshold; and

responsive to determining the level of correlation is at least the first threshold, determining that a combination of the one or more observed events, the one or more observed relationships, and at least one of the third event that was inferred or the second relationship that was inferred are associated with the known cyber-attack,wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, andwherein each of the one or more observed events, and the third event is an action or operation resulting from an execution of code.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a computerized method comprises, accessing information associated with one or more observed events, wherein one or more of the observed events constitutes an anomalous behavior; accessing a reference model based on a first plurality of events, the reference model comprises a first event of the first plurality of events, a second event of the first plurality of events and a relationship that identifies that the second event of the first plurality of events is based on the first event of the first plurality of events, wherein at least one of the first event and the second event constitutes an anomalous behavior; and comparing the information associated with the one or more observed events with the reference model to determine whether at least one observed event of the one or more observed events matches at least one of the first event of the first plurality of events or the second event of the first plurality of events that constitutes the anomalous behavior is provided.

717 Citations

36 Claims

1. A computerized method for detecting malware comprising:
- accessing information associated with one or more observed events, wherein the one or more observed events are associated via one or more observed relationships;
  
  accessing a reference model of a plurality of reference models, the reference model is based on a first plurality of events and comprises a first event, a second event and a first relationship that identifies that the second event is based on the first event, wherein a combination of at least the first plurality of events and the first relationship indicates a known cyber-attack;
  
  based on a correlation between the reference model and the accessed information, inferring that at least a third event of the first plurality of events has occurred or a second relationship between two events of the one or more observed events existed, wherein neither the third event nor the second relationship is indicated by the accessed information;
  
  analyzing (i) the information associated with the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (ii) the reference model to determine whether a level of correlation between (a) the one or more observed events, and including at least one of the third event or the second relationship that were inferred, and (b) the reference model is at least a first threshold; and
  
  responsive to determining the level of correlation is at least the first threshold, determining that a combination of the one or more observed events, the one or more observed relationships, and at least one of the third event that was inferred or the second relationship that was inferred are associated with the known cyber-attack,wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, andwherein each of the one or more observed events, and the third event is an action or operation resulting from an execution of code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computerized method of claim 1, wherein accessing the information associated with one or more observed events further comprises:
    - accessing one or more particulars of at least a first observed event of the one or more observed events, wherein the analyzing includes analysis of the one or more particulars.
  - 3. The computerized method of claim 1, wherein accessing the reference model further comprises accessing one or more relationships wherein a second relationship of the one or more relationships identifies that a fourth event is based on the first event.
  - 4. The computerized method of claim 1 further comprising:
    - enhancing, the reference model by adding at least an added first event to the reference model as a result of determining whether the level of correlation between at least the one or more observed events and the reference model is at least a second predetermined threshold, the added first event being present in the one or more observed events and not present in the reference model.
  - 5. The computerized method of claim 4 further comprising:
    - enhancing the reference model by adding at least an added first relationship to the reference model as the result of determining whether the level of correlation between at least the one or more observed events and the reference model is at least the second predetermined threshold, the added first relationship being present in the one or more observed events and not present in the reference model.
  - 6. The computerized method of claim 4, further comprising:
    - updating, as a result of the analyzing using the machine learning technique, one or more correlation rules for classifying malware.
  - 7. The method of claim 1 further comprising:
    - generating a visual representation illustrating a potential malware infection based on the analyzing of the information associated with the one or more observed events and the reference model, the visual representation comprising one or more nodal diagrams.
  - 8. The computerized method of claim 1 further comprising:
    - inferring that a second relationship exists without detection between the first event and a fourth event based on the reference model, wherein the second relationship is included in the reference model and the fourth event is included in the one or more observed events.
  - 9. The computerized method of claim 1 further comprising:
    - inferring that a second relationship exists between the first event and the third event, wherein the second relationship is included in the reference model.
  - 10. The computerized method of claim 1 further comprising:
    - generating an interactive display screen that displays a visual representation of the reference model, including the first plurality of events including the first event and the second event, and the first relationship; and
      
      displaying the interactive display screen.
  - 11. The computerized method of claim 10, wherein the interactive display screen further includes a visual representation of the one or more observed events and the third event, the visual representation of the reference and the visual representation of the one or more observed events and the third event displayed in a side-by-side comparison.
  - 12. The computerized method of claim 1, wherein the reference model is accessed from a data store that stores the plurality of reference of models.
  - 13. The computerized method of claim 1, wherein the reference model is selected from a plurality of reference models based on a type of a file included in the information associated with one or more observed events.
  - 14. The computerized method of claim 1, wherein each connection is a causal connection.
  - 15. The computerized method of claim 1, further comprising:
    - generating a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the reference model and the second nodal diagram including the information associated with one or more observed events, wherein(1) the events of the reference model and the one or more observed events are represented by nodes, and(2) relationships of the reference model are displayed as connections corresponding to the events of the reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.

16. A computerized method comprising:
- accessing information associated with a first plurality of observed events comprising a first observed event, a second observed event and an observed relationship that identifies that the second observed event is based on the first observed event;
  
  accessing a reference model of a plurality of reference models, the reference model is based on a second plurality of events comprising a first event, a second event and a relationship that identifies that the second event is based on the first event, wherein a combination of at least the first event, the second event and the relationship indicates a known cyber-attack;
  
  based on a correlation between the reference model and the accessed information, inferring that at least a third event has occurred or a second relationship between two events of the first plurality of observed events existed, wherein neither the third event or the second relationship is indicated by the accessed information;
  
  analyzing the information associated with the first plurality of observed events, and at least one of the third event or the second relationship that were inferred and the reference model to determine whether a level of correlation between (i) the first plurality of observed events, and at least one of the second relationship or the third event, and (ii) the reference model is at least a first threshold;
  
  responsive to determining the level of correlation is at least the first threshold, determining a combination of the first plurality of observed events and at least one of the third event and the second relationship are associated with the known cyber-attack,wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, andwherein each of the one or more observed events, and the third event is an action or operation resulting from an execution of code.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The computerized method of claim 16, wherein accessing the first set of information further comprises:
    - accessing one or more particulars of at least one of the first observed event or the second observed.
  - 18. The computerized method of claim 16, wherein accessing the reference model further comprises accessing one or more relationships wherein a second relationship of the one or more relationships identifies that a fourth event is based on the first event.
  - 19. The computerized method of claim 16 further comprising:
    - enhancing the reference model by adding, to the reference model, at least a second relationship identifying that the third event is based on the first event, the added second relationship being included in the information associated with the first plurality of observed events.
  - 20. The computerized method of claim 16, wherein each connection is a causal connection.
  - 21. The computerized method of claim 16, further comprising:
    - generating a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the reference model and the second nodal diagram including the information associated with one or more observed events, wherein(1) the events of the reference model and the one or more observed events are represented by nodes, and(2) relationships of the reference model are displayed as connections corresponding to the events of the reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.

22. A system comprising:
- one or more hardware processors; and
  
  a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises(i) an event log to receive and store information associated with one or more observed events, wherein each of the one or more observed events is associated with at least one of an action or operation occurring during computer processing,(ii) a data store to store one or more reference models,(iii) a gathering logic in communication with the data store and the event log that, upon execution by the one or more processors,(a) accesses the information associated with the one or more observed events, and(b) accesses a first reference model of the one or more reference models, wherein a combination of one or more events or one or more relationships included in the first reference model indicates a known cyber-attack, and(iv) a first logic in communication with the data store and the event log control logic that, when executed by the one or more processors, based on a correlation between the first reference model and the accessed information, infers that at least a first inferred event has occurred or a first inferred relationship existed, wherein neither the first inferred event nor the first inferred relationship is indicated by the accessed information; and
  
  (v) a matching logic in communication with the gathering logic that, upon execution by the one or more processors, (1) analyzes the information associated with the one or more observed events, the first inferred event, the first inferred relationship and the first reference model to determine whether a level of correlation between (a) the one or more observed events, and at least one of the first inferred event or the first inferred relationship and (b) the first reference model is at least a first threshold, and (2) responsive to determining the level of correlation is at least the first threshold, determining a combination of the one or more observed events, one or more observed relationships and at least one of the first inferred event or the first inferred relationship is associated with the known cyber-attack,wherein each of the one or more observed events, and the first inferred event is an action or operation resulting from an execution of code, andwherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The system of claim 22, wherein a first reference model of the one or more reference models includes a first event, a second event and a relationship identifying that the second event is based on the first event.
  - 24. The system of claim 22, wherein a first reference model of the one or more reference models includes a mathematical union of a second reference model and a third reference model.
  - 25. The system of claim 22, wherein the accessing of the information associated with the one or more observed events and the accessing of the one or more reference models is triggered by reception of a predetermined amount of data.
  - 26. The system of claim 22, further comprising:
    - the first logic in communication with the data store and the event log control logic that, when executed by the one or more processors, enhances the first reference model by adding at least an added first event to the first reference model, the added first event being included in the information associated with one or more observed events.
  - 27. The system of claim 22, wherein each connection is a causal connection.
  - 28. The system of claim 22, further comprising:
    - a display screen generation logic configured to generate a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the first reference model and the second nodal diagram including the information associated with one or more observed events, wherein(1) the events of the first reference model and the one or more observed events are represented by nodes, and(2) relationships of the first reference model are displayed as connections corresponding to the events of the first reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.

29. A system comprising:
- one or more hardware processors; and
  
  a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprises (i) an event log to store received information associated with one or more observed events, (ii) a data store to store one or more reference models, and (iii) logic that, upon execution by the one or more processors,accesses information associated with one or more observed events, wherein a first observed event and a second observed event are associated via a first observed relationship;
  
  accesses a reference model of a plurality of reference models, the reference model is based on a first plurality of events and comprises a first event, a second event and a first relationship that identifies that the second event is based on the first event, wherein a combination of at least the first plurality of events and the first relationship indicates a known cyber-attack;
  
  based on a correlation between the reference model and the accessed information, infers that at least a third event of the first plurality of events has occurred or a second relationship existed, wherein neither the third event nor the second relationship is indicated by the accessed information;
  
  analyzes (i) the information associated with the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (ii) the reference model to determine whether a level of correlation between (a) the one or more observed events, and at least one of the third event or the second relationship that were inferred, and (b) the reference model is at least a first threshold; and
  
  responsive to determining the level of correlation is at least the first threshold, determines that a combination of the one or more observed events, the one or more observed relationships and at least one of the third event or the second relationship is associated with the known cyber-attack,wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, andwherein each of the one or more observed events and the third event is an action or operation resulting from an execution of code.
- View Dependent Claims (30, 31, 32)
- - 30. The system of claim 29 further comprising:
    - the first in communication with the data store and the event log that, when executed by the one or more processors, enhances the first reference model by adding at least third event to the first reference model, the third event being included in the information associated with one or more observed events.
  - 31. The system of claim 29, wherein each connection is a causal connection.
  - 32. The system of claim 29, further comprising:
    - a display screen generation logic configured to generate a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the reference model and the second nodal diagram including the information associated with one or more observed events, wherein(1) the events of the reference model and the one or more observed events are represented by nodes, and(2) relationships of the reference model are displayed as connections corresponding to the events of the reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.

33. A system for detecting malware comprising:
- one or more hardware processors; and
  
  a non-transitory storage module communicatively coupled to the one or more processors, the storage module comprising logic that, upon execution by the one or more processors, performs operations comprising;
  
  observing one or more events during processing of an object within a virtual machine;
  
  selecting a reference model of a plurality of reference models based on the one or more observed events, the reference model comprising a first event of a first plurality of events, a second event of the first plurality of events and a relationship that identifies that the second event is based on the first event, wherein a combination of at least the first event, the second event and the relationship indicates a known cyber-attack; and
  
  based on a correlation between the reference model and the accessed information, inferring that at least a third event has occurred or a second relationship existed, wherein neither the third event not the second relationship is indicated by the accessed information;
  
  analyzing the information associated with the one or more observed events, the reference model, and at least one of the third event or the second relationship to determine whether a level of correlation of (i) the one or more observed events, and at least one of the second relationship or the third event, and (ii) the reference model is at least a first threshold; and
  
  responsive to determining the level of correlation is at least the first threshold, determining a combination of the one or more observed events, and at least one of the third event or the second relationship is associated with the known cyber-attack; and
  
  wherein each of the first relationship and the second relationship comprises a connection that occurs during computer processing between at least two events, andwherein each of the one or more observed events, is an action or operation resulting from an execution of code.
- View Dependent Claims (34, 35, 36)
- - 34. The system of claim 33, wherein the one or more processors and the storage module are included within an endpoint device.
  - 35. The system of claim 33, wherein each connection is a causal connection.
  - 36. The system of claim 33, further comprising:
    - generating a display including a first nodal diagram and a second nodal diagram, the first nodal diagram including the reference model and the second nodal diagram including the information associated with one or more observed events, wherein(1) the events of the reference model and the one or more observed events are represented by nodes, and(2) relationships of the reference model are displayed as connections corresponding to the events of the reference model and relationships corresponding to the one or more observed events are displayed as connections between the one or more observed events.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Rathor, Hirendra, Dalal, Kaushal
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Khan, Sher A

Application Number

US14/500,594
Time in Patent Office

1,093 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2201/86   Event-based monitoring

G06N 20/00   Machine learning

G06N 5/04   Inference or reasoning models

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Exploit detection of malware and malware families

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

717 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Exploit detection of malware and malware families

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

717 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links